This document will teach you how to install Linux FreeS/WAN. If your distribution comes with Linux FreeS/WAN, we offer tips to get you started.
To install FreeS/WAN you must:
There are three basic ways to get FreeS/WAN onto your system:
FreeS/WAN comes with these distributions.
If you're running one of these, include FreeS/WAN in the choices you make during installation, or add it later using the distribution's tools.
Your distribution may have integrated extra features, such as Andreas Steffen's X.509 patch, into FreeS/WAN. It may also use custom startup script locations or directory names.
If your FreeS/WAN came with your distribution, you may wish to generate a fresh RSA key pair. FreeS/WAN will use these keys for authentication.
To do this, become root, and type:
ipsec newhostkey --output /etc/ipsec.secrets --hostname xy.example.com chmod 600 /etc/ipsec.secrets
where you replace xy.example.com with your machine's fully-qualified domain name. Generate some randomness, for example by wiggling your mouse, to speed the process.
The resulting ipsec.secrets looks like:
: RSA { # RSA 2192 bits xy.example.com Sun Jun 8 13:42:19 2003 # for signatures only, UNSAFE FOR ENCRYPTION #pubkey=0sAQOFppfeE3cC7wqJi... Modulus: 0x85a697de137702ef0... # everything after this point is secret PrivateExponent: 0x16466ea5033e807... Prime1: 0xdfb5003c8947b7cc88759065... Prime2: 0x98f199b9149fde11ec956c814... Exponent1: 0x9523557db0da7a885af90aee... Exponent2: 0x65f6667b63153eb69db8f300dbb... Coefficient: 0x90ad00415d3ca17bebff123413fc518... } # do not change the indenting of that "}"
In the actual file, the strings are much longer.
You can now start FreeS/WAN and test whether it's been successfully installed..
These instructions are for a recent Red Hat or Fedora Core with a stock Red Hat or Fedora Core kernel. We know that Mandrake and SUSE also produce FreeS/WAN RPMs. If you're running either, install using your distribution's tools.
Decide which functionality you need:
For 2.6 kernels, get the latest FreeS/WAN userland RPM, for example:
freeswan-userland-2.06.9-0.i386.rpm
Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see 2.6.known-issues, and the latest mailing list reports.
Change to your new FreeS/WAN directory, and make and install the
For 2.4 kernels, get both kernel and userland RPMs. Check your kernel version with
uname -r
Get a kernel module which matches that version. For example:
freeswan-module-2.06_2.4.20_20.9-0.i386.rpm
Note: These modules will only work on the Red Hat or Fedora Core kernel they were built for, since they are very sensitive to small changes in the kernel.
Get FreeS/WAN utilities to match. For example:
freeswan-userland-2.06_2.4.20_20.9-0.i386.rpm
While you're at our ftp site, grab the RPM signing key
freeswan-rpmsign.asc
If you're running RedHat 8.x or later, import this key into the RPM database:
rpm --import freeswan-rpmsign.asc
For RedHat 7.x systems, you'll need to add it to your PGP keyring:
pgp -ka freeswan-rpmsign.asc
Check the digital signatures on both RPMs using:
rpm --checksig freeswan*.rpm
You should see that these signatures are good:
freeswan-module-2.06_2.4.20_20.9-0.i386.rpm: pgp md5 OK freeswan-userland-2.06_2.4.20_20.9-0.i386.rpm: pgp md5 OK
Become root:
su
For a first time install, use:
rpm -ivh freeswan*.rpm
To upgrade existing RPMs (and keep all .conf files in place), use:
rpm -Uvh freeswan*.rpm
If you're upgrading from FreeS/WAN 1.x to 2.x RPMs, and encounter problems, see this note.
Now, start FreeS/WAN and test your install.
Your choices are:
Download the source tarball you've chosen, along with any patches.
While you're at our ftp site, get our source signing key
freeswan-sigkey.asc
Add it to your PGP keyring:
pgp -ka freeswan-sigkey.asc
Check the signature using:
pgp freeswan-2.06.tar.gz.sig freeswan-2.06.tar.gz
You should see something like:
Good signature from user "Linux FreeS/WAN Software Team ([email protected])". Signature made 2002/06/26 21:04 GMT using 2047-bit key, key ID 46EAFCE1
As root, unpack your FreeS/WAN source into /usr/src.
su mv freeswan-2.06.tar.gz /usr/src cd /usr/src tar -xzf freeswan-2.06.tar.gz
Now's the time to add any patches. The contributor may have special instructions, or you may simply use the patch command.
Choose one of the methods below.
Note: FreeS/WAN's support for 2.6 kernel IPsec is preliminary. Please see 2.6.known-issues, and the latest mailing list reports.
Change to your new FreeS/WAN directory, and make and install the FreeS/WAN userland tools.
cd /usr/src/freeswan-2.06 make programs make install
Now, start FreeS/WAN and test your install.
To make a modular version of KLIPS for 2.2 and 2.4 kernels, along with other FreeS/WAN programs you'll need, use a command sequence like the one below. This will change to your new FreeS/WAN directory, make the FreeS/WAN module (and other stuff), and install it all.
cd /usr/src/freeswan-2.06 make menumod # just save and exit make minstall
Start FreeS/WAN and test your install.
To link KLIPS statically into your kernel on 2.2, 2.4 or 2.6 (using your old kernel settings), or to build a KLIPS module for 2.6, you'll need to patch the kernel itself. The following will change to your new FreeS/WAN directory, compile KLIPS into your kernel (and other stuff), and install it all.
cd /usr/src/freeswan-2.06 make [KERNELSRC=/usr/src/linux-2.6.1-1.47] menugo # just save and exit make minstall
The KERNELSRC argument is necessary for 2.6 kernels, as it defaults to /usr/src/linux-2.4.
Reboot your system and test your install.
For other ways to compile KLIPS, see our Makefile.
Bring FreeS/WAN up with:
service ipsec start
This is not necessary if you've rebooted.
To check that you have a successful install, run:
ipsec verify
You should see at least:
Checking your system to see if IPsec got installed and started correctly Version check and ipsec on-path [OK] Checking for KLIPS support in kernel [OK] Checking for RSA private key (/etc/ipsec.secrets) [OK] Checking that pluto is running [OK]
If any of these first four checks fails, see our troubleshooting guide.
There are at least a couple of things on your system that might interfere with FreeS/WAN, and now's a good time to check these:
You'll need to configure FreeS/WAN for your local site. Have a look at our opportunism quickstart guide to see if that easy method is right for your needs. Or, see how to configure a network-to-network or Road Warrior style VPN.